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DETAILED ACTION 

1 . This action is in response to appiication amendments filed on 1 1-19-2009. 

2. Claims 1 - 4, 6 - 16, 18 - 26, 28 - 34 are pending. Claims 1, 13, 23 have been 
amended. Claims 5, 17, 27 have been cancelled. Claims 1, 13, 23 are independent. 
This application was filed 12-23-2003. 

Response to Arguments 

3. Applicant's arguments have been fully considered but were not persuasive. 

3.1 A 103 rejection (see Remarks Page 9-11) based on multiple references is a 
legitimate technique according to the MPEP. The current application is rejected based 
on the Williams, Woods and LEVY prior art references. The set of references are in the 
same field of endeavor as the claimed invention, the secure transfer of session 
information. The 103 rejection allows portions of a claimed invention to come from 
different prior art references. 

Ail references (Williams, Wood, and LEVY) disclose the transfer of session 
information such as identifiers, time/date information such as timestamps, and session 
state information between network-connected systems (servers, clients). A timestamp 
is a parameter available for transfer between systems in the management of session 
information. 
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3.2 Applicant argues that the referenced prior art does not disciose for Claims 1,13, 
and 23, transmitting a redirect message to said browser, thereby redirecting said 
request to the second server: and "in conjunction with said transmitting, transmitting 
said session ID and said timestamp directly to the second server". . 

Williams discloses redirecting a request to a second server or computer system, 
(see Williams paragraph [0067], lines 12-18: redirection of session information) if the 
request is redirected between networl<-connected systems, then the request is 
transmitted from one system to another system. The LEW prior art discloses the 
transfer a session ID and a data and time (a timestamp) parameter. (LEW paragraph 
[0070], lines 3-9: record is created; record consists of sessionjd, date and time 
(timestamp); messages including record are sent between to server) 

3.3 Applicant argues for claims 7, 8, 19, 20, 29. 30, rejection based on Bachman prior 
art. 

Bachman prior art is not used to disclose the transfer of session information 
between network-connected systems but is used to disclose a time-out capability. 
Williams, Woods, and Levy disclose the claims limitations for the independent claims. 

3.4 Applicant argues that the referenced prior art does not disclose, redirect message 
is transmitted to a destination distinct from the destination to which the session ID and 
the timestamp are transmitted. 

The Woods prior art specifically discloses a redirect response message 
transmitted in response to a redirect request. The redirect request and the initial 
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request are not transmitted to the same destination. The specification does not disclose 
the transmission of a redirect request message to a browser but a request message is 
received and that particular request message is redirected to another server. 
The specification discloses redirecting a request to another or a second server. The 
initial request is not a specific redirect request but a request message and that request 
message is redirected to another serx'er. 

3.5 The Williams prior art discloses the transfer of a timestamp parameter (within the 
token data structure) between two network-connected systems, (see Williams 
paragraph [0050], lines 1-5: token may include an optional timestamp) 

The Woods prior art discloses the direct transfer of session state parameters such 
as a session ID parameter and a time/date parameter between network-connected 
entities, (see Wood paragraph [0050], lines 15-17; some parameters can be passed 
directly between systems) The Williams and Woods combination discloses the 
transfer of a session ID and a timestamp parameter. - 

The LEVY prior art discloses the transfer of both a session !D parameter and a 
time and date or timestamp parameter between network-connected systems. (LEVY 
paragraph [0070], lines 3-9: record is created; record consists of sessionjd, date and 
time (timestamp)) 



4. 



Claim Rejections - 35 USC § 112 

The following is a quotation of the first paragraph of 35 U.S.C. 1 1 2: 
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The specification shaii contain a written description of the invention, and of the manner and process of 
malting and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the 
art to which it pertains, or with which it is most nearly connected, to make and use the same and shall 
set forth the best mode contempiated by the inventor of carrying out his invention. 

5. Claims 1, 13, 23 are rejected under 35 U.S.C. 112, first paragraph, as failing to 
comply with the written description requirement. The claim(s) contains subject matter 
which was not described in the specification in such a way as to reasonably convey to 
one skilled in the relevant art that the !nventor(s), at the time the application was filed, 
had possession of the claimed invention. There does not appear to be disclosure for 
the claim limitation: "transmitting a redirect message to said browser, thereby redirecting 
said request to the second server". The specification discloses redirecting a request to 
another server. There is no disclosure that the initial request is a redirect request. 
The system determines that the initial message must be redirected to another server. 
There is no disclosure that the initial message is initially a redirect message. The final 
disposition is for the message to be redirected. 

Claim Rejections - 35 USC § 103 

6. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

a) A patent may not be obtained though the invention is not identically disclosed or deschbed as set forth in 
section 102 of this title, if the differences between the subject matter sought to be patented and the phor art 
are such that the subject matter as a whole would have been obvious at the time the invention was made 
to a person having ordinary skill in the art to which said subject matter pertains. Patentability shall not be 
negatived by the manner in which the invention was made. 

7. Claims 1 - 4, 6, 9 - 16, 18, 21 - 26, 28, 31 - 34 are rejected under 35 U.S.C. 
103(a) as being unpatentable over Williams et al. (US PGPUB No. 20030005118) in 
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view of Wood et al. (US PGPUB No. 20040210771) and further in view of LEVY et al. 
(US PGPUB No. 20020124074). 

With Regards to Claims 1, 23, Williams discloses a method, computer program 

product of secure session management for a web farm, the web farm including a first 
server and a second server, the second server having a requested web page, the 
method comprising: 

a) receiving, at the first server, a request for the requested web page from a 
browser, said request including an encrypted session token associated with a 
session; (see Williams paragraph [0016], lines 1-4: session management; 
paragraph [0019], lines 1-5: request processing; paragraph [0016], lines 1-4: 
session token; paragraph [0050], lines 10-16; paragraph [0051], lines 14-16: 
encryption utilized for security; paragraph [0016], lines 1-4: program product) 

Furthermore, Williams discloses the following: 

b) decrypting said encrypted session token at the first server to obtain a session 
information; (see Williams paragraph [0020], lines 8-1 1 : validate (must decryption 
required to process encrypted information) session information, process 
encrypted session information; paragraph [0016], lines 1-4: program product) 

d) verifying said session, (see Williams paragraph [0020], lines 8-11; paragraph 
[0074], lines 7-1 1 : validate session token information, client and session 
identification information; paragraph [0016], lines 1-4: program product) 



Furthermore, Williams discloses transmitting a redirect message to said browser. 
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thereby redirecting said request to the second server, (see Williams paragraph 
[0067], lines 12-18: redirection of session information) 

Williams does not specifically disclose including the transmission of said session 
token to the second server in a redirect request. 
However, Wood discloses: 

c) in coniunction with s aid transmitting, transmitting said session token to the 
second server; (see Wood paragraph [0044], lines 8-14; paragraph [0051], lines 
1-3: session token with redirection request) 
It would have been obvious to one of ordinary skill in the art to modify Williams 
for transmitting a session token and session state information to a second server as 
taught by Wood. One of ordinary skill in the art would have been motivated to 
employ the teachings of Wood to upgrade session credentials and maintain session 
continuity, (see Wood paragraph [0016], lines 11-16) 

Williams-Wood does not specifically disclose the transfer of a session ID parameter 
and a time and date (timestamp) parameter between two network connected 

systems (servers). 

However, LEVY discloses: for a); b): wherein including transmitting said session ID 
and timestamp directly to the second server. (LEVY paragraph [0070], lines 3-9: 
record is created; record consists of session_id, date and time (timestamp)) 
The explicit transfer of a session ID and a timestamp (both parameters) between 
network-connected systems is disclosed. 
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It would have been obvious to one of ordinary skill in the art to modify Williams- 
Wood for the transfer of a session ID parameter and time and date (timestamp) 
parameter as taught by LEVY. One of ordinary skill in the art would have been 
motivated to employ the teachings of LEVY to enable real-time monitoring of 
systems to greatly assist in the management of sessions between network- 
connected systems, (see LEVY paragraph [0027], lines 1-5) 

With Regards to Claims 2, 24, Williams discloses the method, computer program 

product claimed in claims 1, 23, further including creating a new session token, 
encrypting said new session token at the second server to produce a new encrypted 
session token, and transmitting a response to said browser from the second server, 
wherein said response includes said new encrypted session token, (see Williams 
paragraph [0016], lines 7-13; paragraph [0016], lines 4-7: generate new encrypted 
session token and transfer; paragraph [0016], lines 1-4: software implementation, 
program product) 

With Regards to Claims 3, 5, 15, 25, Williams discloses the method, system, computer 
program product claimed in claims 2, 13, 14, 23, 24, wherein said creating a new 
session token includes generating a new session ID and updating said timestamp. (see 
Williams paragraph [0062], lines 9-16; paragraph [0050], lines 1-5: session token, 
session ID and timestamp; paragraph [0016], lines 1-4: software implementation, 
program product) 
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With Regards to Claims 4, 16, 26, Williams discloses the method, system, computer 
program product claimed in claims 2, 14, 24, further including a step of updating a 
common session database by replacing said session information with said new session 
token in said common session database, (see Williams paragraph [0069], lines 9-15: 
database for session token information storage paragraph [0016], lines 1-4: software 
implementation, program product) 

Williams does not disclose the transfer of a session ID parameter and a time and date 
(timestamp) parameter between two network connected systems. 
However, LEVY discloses transmitting said session ID and timestamp directly to the 
second server. (LEVY paragraph [0070], lines 3-9: record is created; record consists of 
sessionjd, date and time (timestamp)) 

The explicit transfer of a session ID and a timestamp (both parameters) between 
network-connected systems is disclosed. 

It would have been obvious to one of ordinary skill in the art to modify Williams for 
the transfer of a session ID parameter and time and date (timestamp) parameter as 
taught by LEVY. One of ordinary skill in the art would have been motivated to employ 
the teachings of LEVY to enable real-time monitoring of systems to greatly assist in the 
management of sessions between network-connected systems, (see LEVY paragraph 
[0027], lines 1-5) 

Witli Regards to Claims 6, 18, 28, Williams discloses the method, system, computer 
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program product claimed in claims 1,17, 23, wherein a common session database 
contains a stored session ID and a stored timestamp, and wherein said verifying 
includes comparing said session ID and said timestamp with said stored session ID and 
said stored timestamp. (see Williams paragraph [0069], lines 9-15: database for session 
token information storage; paragraph [0062], lines 9-16; paragraph [0050], lines 1-5: 
session token, session ID and timestamp; paragraph [0020], lines 8-1 1 : verification 
session information paragraph [0016], lines 1-4: software implementation, program 
product) 

With Regards to Claims 9, 21, 31, Williams discloses the method, system, computer 
program product claimed in claims 1,13, 23, wherein said step of transmitting includes 
incorporating said session information into a URL. (see Williams paragraph [0044], lines 
8-12: URL processing techniques utilized paragraph [0016], lines 1-4: software 
implementation, program product) 

Williams-Wood does not specifically disclose incorporating a session ID parameter and 
a time and data (timestamp) parameter into a record. 

However, LEVY discloses incorporating said session ID and timestamp into a record. 
(LEVY paragraph [0070], lines 3-9: record is created; re cord consists of session_id, 

date and time (timestamp)) 

The explicit transfer of a session ID and a timestamp (both parameters) between 
network-connected systems is disclosed. 

It would have been obvious to one of ordinary skill in the art to modify Williams for 
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incorporating said a session ID parameter and a time and date (timestamp) parameter 
into a record as tauglit by LEVY. One of ordinary skill in the art would have been 
motivated to employ the teachings of LEVY to enable real-time monitoring of systems to 
greatly assist in the management of sessions between network-connected systems, 
(see LEVY paragraph [0027], lines 1-5) 

With Regards to Claims 10, 32, Williams discloses the method, computer program 
product claimed in claims 1 , 23, wherein a session management web service performs 
said step of verifying, said session management web service being accessible to said 
first server and said second server, and wherein said verifying includes comparing said 
session information with stored session data, (see Williams paragraph [0020], lines 8- 
11: session information verification paragraph [0016], lines 1-4: software 
implementation, program product) 

Williams does not specifically disclose transferring said session ID and time and date 
(timestamp) between systems. 

However, LEVY discloses transferring said session ID and timestamp between systems. 
(LEVY paragraph [0070], lines 3-9: record is created; record consists of session_id, 
date and time (timestamp)) 

The explicit transfer of a session ID and a timestamp (both parameters) between 
network-connected systems is disclosed. 

It would have been obvious to one of ordinary skill in the art to modify Williams for 
the transfer of session ID and time and date (timestamp) between systems as taught by 
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LEVY. One of ordinary skill in the art would have been motivated to employ the 
teachings of LEVY to enable real-time monitoring of systems to greatly assist in the 
management of sessions between network-connected systems, (see LEVY paragraph 
[0027], lines 1-5) 

With Regards to Claims 11, 33, Williams discloses the method, computer program 
product claimed in claims 10, 32, wherein the web farm further includes a common 
session database containing said stored session data, (see Williams paragraph [0013], 
lines 5-9; paragraph [0036], lines 3-4: web farms, set of interconnected web servers 
paragraph [0016], lines 1-4: software implementation, program product) 

With Regards to Claims 12, 22, 34, Williams discloses the method, system, computer 

program product claimed in claims 1,13, 23, wherein said requested web page includes 
a web resource selected from the group including an applet, an HTML page, a Java 
server page, and an Active server page, (see Williams paragraph [0044], lines 3-8; 
paragraph [0042], lines 8-15: protected resource, a HTML web page paragraph [0016], 
lines 1-4: software implementation, program product) 

With Regards to Claim 13, Williams discloses a system for secure session 
management, the system being coupled to a network and receiving a request for a 
requested web page from a browser via the network, the request including an encrypted 
session token, the system comprising: 



Application/Control Number: 10/733,326 Page 13 

Art Unit: 2436 

b) a second server including the requested web page; (see Willianns paragrapli 
[0013], lines 5-9: multiple servers; paragraph [0044], lines 3-8; paragraph [0042], 
lines 8-15: resource requested, a HTML web page) 

Furthermore, Williams discloses: 

c) a common session database including stored session data; (see Williams 
paragraph [0069], lines 9-15: database for session token information storage) 

Furthermore, Williams discloses the following: 

a) a first server including a first request handler for receiving the request and 
decrypting the encrypted session token to produce a session information, (see 
Williams paragraph [0013], lines 5-9; paragraph [0050], lines 10-16: multiple 
servers, encrypted; paragraph [0020], lines 8-1 1 : validate (i.e. must decrypt in 
order to process) session information) 

d) a session management web service, accessible to said first server and said 
second server and including a validation component for comparing said session 
token with said stored session data; (see Williams paragraph [0020], lines 8-1 1 : 
session verification information) 

Furthermore, Williams discloses wherein said first request handler adapted to 
transmit a redirect message to said browser, thereby redirecting the request to said 
second server, (see Williams paragraph [0067], lines 12-18: redirection capabilities) 



Williams does not specifically disclose the transfer of session state information 
between two servers. 
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However, Wood discloses: 

e) transmit the session information to said second server, (see Wood paragraph 
[0044], lines 8-14; paragraph [0051], lines 1-3: session token with redirection 
request; paragraph [0050], lines 15-17: direct transfer of parameters between two 

systems) 

It would have been obvious to one of ordinary skill in the art to modify Williams 
to enable including transmitting said session token to the second server as taught by 
Wood. One of ordinary skill in the art would have been motivated to employ the 
teachings of Wood in order to enable the capability to upgrade session credentials 
and maintain session continuity, (see Wood paragraph [0016], lines 11-16) 

Williams does not specifically disclose transmitting said session ID and timestamp 
between systems. 

However, LEVY discloses transmitting said session ID and timestamp between 
systems. (LEVY paragraph [0070], lines 3-9: record is created; re cord consists of 

session_id, date and time (timestamp)) 

The explicit transfer of a session ID and a timestamp (both parameters) between 
network-connected systems is disclosed. 

It would have been obvious to one of ordinary skill in the art to modify Williams 
for transmitting said session ID and timestamp between systems as taught by LEVY. 
One of ordinary skill in the art would have been motivated to employ the teachings of 
LEVY to enable real-time monitoring of systems to greatly assist in the management 
of sessions between network-connected systems, (see LEVY paragraph [0027], 
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lines 1-5) 

With Regards to Claim 14, Williams discloses the system claimed in claim 13, wherein 
said session management web service includes a token generator for creating a new 

session token for said second server, and wherein said second server includes a 
second request handler, said second request handler encrypting said new session 
token to produce a new encrypted session token and transmitting a response to said 
browser, wherein said response includes said new encrypted session token, (see 
Williams paragraph [0016], lines 7-10; paragraph [0016], lines 4-7: new session token 
generated and transferred; paragraph [0050], lines 10-16; paragraph [0051], lines 14- 
16: encrypted session token information) 

8. Claims 7, 8, 19, 20, 29, 30 are rejected under 35 U.S.C. 103(a) as being 
unpatentable over Williams-Wood-LEVY and further in view of Bachman et al. (US 
Patent No. 5,907,621). 

With Regards to Claims 7, 19, 29, Williams discloses the method, system, computer 
program product claimed in claims 1,14, 23. (see Williams paragraph [0050], lines 1-5 : 
time parameter usage and processing; paragraph [0016], lines 1-4: software 
implementation, program product) 

Williams does not specifically disclose a time out processing capability. 

However, Bachman discloses wherein including determining whether a session has 
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timed out, said step of determining including determining an elapsed time between said 
timestamp and a current server time, and comparing said elapsed time with a 
predetermined maximum time to determine whether said session has timed out. (see 
Bachman col. 1, lines 65-67: session management; col. 4, lines 11-17; col. 6, lines 10- 
19: process time out condition) 

It would have been obvious to one of ordinary skill in the art to modify Williams to 
process a time out condition as taught by Bachman. One of ordinary skill in the art 
would have been motivated to employ the teachings of Bachman to create a secure 
communications session between server and client systems and avoid distracting the 
client with the placement of token information within the page, (see Bachman col. 1 , 
lines 65-67; col. 2, lines 15-17) 

With Regards to Claims 8, 20, 30, Williams discloses the method, system, computer 
program product claimed in claims 7, 19, 29. (see Williams paragraph [0050], lines 1-5: 
time parameter usage and processing; paragraph [0016], lines 1-4: software 
implementation, program product) 

Williams does not specifically disclose a time out processing capability. 
However Bachman discloses wherein includes closing said session if said session has 
timed out. (see Bachman col. 1, lines 65-67: session management; col. 4, lines 11-17; 
col. 6, lines 10-19: process time out condition, session erased, closed) 

It would have been obvious to one of ordinary skill in the art to modify Williams to 
process a time out condition as taught by Bachman. One of ordinary skill in the art 
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would have been motivated to employ the teachings of Bachman to create a secure 
communications session between server and client systems and avoid distracting the 
client with the placement of token information within the page, (see Bachman col. 1 , 
lines 65-67; col. 2, lines 15-17) 

Conclusion 

THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of 
time policy as set forth in 37 CFR 1 .136(a). 

A shortened statutory period for reply to this final action is set to expire THREE 
MONTHS from the mailing date of this action. In the event a first reply is filed within 
TWO MONTHS of the mailing date of this final action and the advisory action is not 
mailed until after the end of the THREE-MONTH shortened statutory period, then the 
shortened statutory period will expire on the date the advisory action is mailed, and any 
extension fee pursuant to 37 CFR 1 .136(a) will be calculated from the mailing date of 
the advisory action. In no event, however, will the statutory period for reply expire later 
than SIX MONTHS from the mailing date of this final action. 

Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Carlton V. Johnson whose telephone number is 571- 
270-1032. The examiner can normally be reached on Monday thru Friday , 8:00 - 
5:00PM EST. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Nasser Moazzami can be reached on 571-272-4195. The fax phone 
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number for the organization where this application or proceeding is assigned is 571- 
273-8300. 

Information regarding the status of an application may be obtained from the 
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private PAIR only. 
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic 
Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a 
USPTO Customer Service Representative or access to the automated information 
system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 

/Nasser Moazzami/ Carlton V. Johnson 

Supervisory Patent Examiner, Art Unit 2436 Examiner 

Art Unit 2436 
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